[ARTICLE · art-28664] src=nymag.com ↗ pub= topic=ai-safety verified=true sentiment=↓ negative

What if it all came out?

A Disney employee named Matthew Van Andel received a series of threatening emails from hackers who had gained access to his password manager, 1Password, compromising over 1,000 accounts including personal and financial data. The attackers used specific internal Slack messages to prove their access, leading Van Andel to report the breach to Disney's security team.

39 min read · Published Jun 15, 2026

This article was featured in New York’s One Great Story newsletter.

The nightmare began with an annoyance as benign and commonplace as a housefly. “Hi there Matt,” the July 11, 2024, email read. “We received a message from you earlier today through our support page related to a changed password on your account … If you didn’t make a support request,” the sender asked politely, “please let us know.”

Matthew Van Andel, 44, who goes by the nickname Dutch, had never heard of “nullbulge.se,” the domain name that sent the message. It appeared to be a classic phishing attempt, a prompt to get him to reply to the email with personal information. So he marked it as spam, swatting it away with a near-automatic series of clicks. Van Andel worked in technology at Disney corporate in Burbank. He loved his job at “the Happiest Place on Earth”; over his seven years at the company, he and his wife, Nicole, had become Disney adults, taking advantage of discounted park tickets with their two kids. Their house in La Crescenta, where Van Andel was working remotely when he got the email, was filled with Mickey and Star Wars and Marvel memorabilia.

Fifteen minutes later, another message arrived from the same sender. This one took a different tack. “Hi Matt. We regret to inform you we have gained access to certain sensitive information related to your personal life.” Van Andel would have deleted this, too, but he had received exactly the same message on Discord, a platform he used to chat about gaming. And it contained specific information that only a few people could, or should, know. “We noticed you had a conversation with Aadya and Shawn about being at Granville for ‘$veg && $keto,’” it read. That was strange. Aadya and Shawn were Van Andel’s co-workers; “$veg && $keto” was a joke about lunch that Van Andel had made while chatting to them on Slack, the internal-messaging system Disney used, a few days earlier.

Seeing his own private words on the screen, Van Andel messaged Disney’s information-security department. The emails had been sent to his personal account, which he was reading on his personal gaming PC in his home office. Info-sec told him his Slack account and work laptop appeared to be operating normally. Still disturbed, Van Andel deleted the second email. Immediately a third arrived: “You think we didn’t see you mark our first test as spam? Then our actual attempt [at] contact went right in the trash.” Van Andel felt his stomach drop. Someone had live access to his account and was watching him use it.

As an engineer, Van Andel thought he had above-average personal op-sec. He ran anti-virus software on his computer. He used Proton Mail, which encrypts messages between users. He turned on multifactor authentication for serious stuff like iCloud. For the past decade, he depended on a password manager called 1Password, which generates random, long, and complex passwords; stores them; and automatically remembers them whenever a user needs to sign in. For Van Andel, 1Password even managed his multifactor-authentication codes. But his diligent, longtime use of his password manager turned out to be Van Andel’s vulnerability. Having all that information in one handy place meant that once someone else was inside, they had a master key to every aspect of his life: his iCloud, iMessage, emails, photos, PayPal, financial information, medical records, social media, his parents’ financials. Over 1,000 accounts. The only way someone could have gotten into his email was if they had cracked his 1Password; when Van Andel realized they must have access to everything, the room began to spin.

He had no idea why the hackers had targeted him or what their plan was, whether they would drain his family’s finances or stalk his home. Eventually, after running another anti-virus program, he found a piece of malware hidden in a plug-in he had downloaded from GitHub, the open-source coding site, one day in February when he was messing around with an AI image generator. He had checked the code himself, it had looked legitimate, and others had reviewed it positively. But it seems it contained a Trojan-horse virus that gave the hackers free rein of his PC. Once inside, they just had to wait for Van Andel to log in to 1Password. From there, they were able to steal all his credentials, plus many of his multifactor-authentication codes, so every time Van Andel logged in to an app, a website, or an account, they could follow behind him. They’d had access for months.

By morning, Van Andel had received a call from Disney info-sec: The intruders had revealed themselves on a blog post celebrating the hack as NullBulge, an activist collective “protecting artists’ rights and ensuring fair compensation for their work,” according to their website. It was later reported that they were Russian furries. They had dumped the contents of Van Andel’s 1Password onto BitTorrent along with his full name — every personal log-in credential, his messages, his bank information, his medical diagnoses, his Amazon account. They’d also managed to access more of Disney’s data than just Van Andel’s Slack messages and published that too: employee Social Security numbers and Slack messages, budget spreadsheets and passport information for the company’s cruise-line workers. It was a massive breach. As people around the world tried to use the information NullBulge had posted, Van Andel’s iPhone began pinging every few seconds with attempts to get into his accounts. Someone logged in to his children’s Roblox profiles and began defacing them with Nazi screeds. Unknown callers left voice-mails. “Dude, your life is over, haha,” one said. “Just leave the country; that’s my advice. Good luck, have fun, and I hope your type 2 diabetes doesn’t get the best of you.” Van Andel raced around the house unplugging Ring cameras and Amazon Echos. Discovering every new potential violation was like learning he was bleeding from a limb he didn’t remember he had. Viscerally, painfully, he could feel the overwhelming breadth and permanence of everything he had ever recorded online, ephemeral and vital and intimate and stupid. Somehow it was only the first wave of exposure he would endure.

Thirteen years ago, intelligence contractor Edward Snowden unmasked the National Security Agency’s global-surveillance apparatus, a dragnet that enabled the U.S. government to spy on pretty much anyone it wanted, whether that meant listening to Angela Merkel’s phone calls or reading the contents of specific Gmail accounts. Snowden later wrote that the agency’s dream was not just to get the information itself but to be able to save it whole, to build a “permanent record”: “to store all of the files it has ever collected or produced for perpetuity, and so create a perfect memory.” Agents weren’t sure what might be useful later on, so they wanted to record everything, forever. Snowden’s disclosures unleashed a short-lived reckoning. In 2015, Congress passed legislation ending a number of Patriot Act–era policies. Telecom and internet companies were forced to reveal that they often served up our private conversations. End-to-end encryption became a marketing pitch; Proton Mail was directly inspired by the Snowden leak.

While citizens expressed outrage that the government had been listening in on their lives, they spent the next decade and a half steadily creating their own kompromat. Every day, we happily and freely export the texture of our lives to the cloud via our chief stenographer, the smartphone. For the average person, the majority of their waking hours are mediated by typing into a device, producing a running log of thoughts, desires, fears, complaints, questions, habits, interests, and secrets. You’re not just writing emails and texting close friends. You’re writing to everyone: loose federations of group chats, people who watch the same TV shows you do or root for the same sports teams; your neighbors and your local parents’ groups on WhatsApp and Facebook; acquaintances in Instagram DMs; prospects on dating apps; co-workers on Slack. You’re typing into Search, Notes, Venmo. Helpfully, you almost never have to think about whether you really want to keep all of the text, images, and data you generate. The biggest and most dominant platforms offered us free storage, then when they asked us to pay, we obliged. The searchability of this data means the history you’ve generated can sit in an unsorted heap on servers all over the world, yet you can still pluck information from it at will. What was that restaurant you texted me about? What was that book? Show me all my pictures of my nephew. Find me the emails I wrote to my crush while he studied abroad in Sweden in 2010. Especially if you’re a person both old and young enough to have had the same email address for half your life, the same phone number, the same iCloud account, the same password manager, the convenience of transferring it from device to device and backing it up online means a massive personal trove is very likely sitting largely unbroken in the digital ether. Realizing your trove exists is terrifying. So is learning that it’s never been more vulnerable. 
Cybercrime is rising at harrowing rates, in what one expert has described as “the golden age of hacking.” It can also become exposed to the public through explicitly legal means: See the 2025 lawsuit filed by Elon Musk against Sam Altman and OpenAI, which exposed more than a decade’s worth of group chats and emails among some of the world’s richest men, squabbling over their personal financial stakes in the fate of humankind. Lawyers in that case even got to use material from OpenAI co-founder Greg Brockman’s personal diary. You don’t need to be the target of litigation yourself to find your private conversations suddenly available to a wider audience. It could be your co-worker, your friend, your family member — why else would texts from Matt Damon’s wife, non-famous person Luciana Damon, become a matter of public record? She can thank Blake Lively for suing Justin Baldoni and dragging her texts into discovery. Or consider the extreme blast radius of the Justice Department’s release of the Epstein files, a trove including thousands of emails that revealed, yes, a despicable circle of enablers and apologists but also random correspondents, the digital equivalent of bystanders.

The knee-jerk psychological response to these stories may be to reassure yourself that you, a regular, nice person, are safe because you have nothing to hide. You are not a mogul, a celebrity, or a political dissident. Most of us, however, no matter how seemingly unimportant, conduct ourselves differently in public than we do in the digital realm, our version of behind closed doors. The sanctified chambers of our text bubbles, search bars, and SENT folders are safe spaces to be base, petty, loose, sarcastic, or unkind; to explore a fetish or experiment with a boundary; to speak in the hyperbolic id of the internet. This version of your online self is like a first draft, careless and dashed off, intended for a small set of confidants, not yet appropriately sanitized for public presentation. The problem now is that this private self has been recorded in your trove. Its very existence, and the sheer volume of its contents, means it could be useful, interesting, compromising, or lucrative to someone, somewhere, given the right set of circumstances. The spigot just has to be turned for information you thought no one would see to come flowing out. “Everyone who is smart,” an acquaintance in PR tells me, “is paranoid right now.” Try to assess the state of your digital record and its size and shape becomes too cumbersome to fathom, like opening a door into an endless vault, the junk mixed in with the trade secrets, where you are the lone custodian.

When I start by clicking on my own Google account, I discover the company has saved seemingly everything I have ever looked up, on both my phone and my computer, from 2011 all the way through the search I did just 30 seconds earlier to figure out how to turn off this feature. Then I sign in to my iCloud. I know I turned off the automatic photo backup after an unpleasant incident a few years ago when I opened my laptop at work to see my own nude, taken on my phone, on the computer screen. But I hadn’t thought about iMessage: When I click the little green icon with the chat bubble, a store of 700,000 stares back at me, texts going back at least a decade. I begin imagining everything they might contain, the pieces of myself that, taken out of context, will certainly look nasty, mean, or criminal: a biting comment made in anger about my sister, vented to my boyfriend. A joke he and I routinely like to make during his tourist-filled morning commutes about wanting to “detonate the vest” in Rockefeller Center. As I sit there spiraling, a co-worker Slacks me that she wants to murder one of our colleagues. “JK!!!!!!!!!” I write back, suddenly conscious of the futile ways we like to think we’re protected: using initials to gripe about our bosses, asterisks to hide gossip. “I think I’m a good person, but I talk a lot of shit,” a journalist friend tells me. Worried about both hacking and getting sued, he has begun putting his phone in a Faraday bag when he’s working. “It’s the side chat off the group chat I’m worried about,” another says. “That leaks, I’m dead.” A different friend tells me he doesn’t care much about his texts but worries about his Pornhub search history. “That’s not going to look great,” he says. It’s all hanging over our heads, an invisible sword of Damocles we’ve produced with our own frantic thumbs. (By the time I finish typing this sentence, Google has already recorded my latest search: how to spell “Damocles.”)

If anyone knows what it’s like to experience the public release of nearly everything important and unimportant in their private online life, it’s the survivors of the Sony hack, which remains the Ur-text of digital exposure. In November 2014, North Korean government operatives, according to the FBI, infiltrated Sony’s internal systems in apparent retaliation for the studio’s impending release of Seth Rogen’s film *The Interview*, in which he and James Franco play journalists recruited to assassinate Kim Jong-un. (North Korea denied any involvement in the hack.) That morning, employees were greeted with a terrifying red skeleton and the message “We’ve obtained all your internal data” on their computer screens. Seventy percent of the company’s computers were destroyed. The whole studio ground to a halt; assistants were forced to use their personal emails while working from their own phones and laptops. The hackers meted out stolen information on unreleased movies, executive salaries, and film budgets along with a database of employee complaints (many of them about the studio’s glut of Adam Sandler films). The biggest bomb was a dump of years of content from the Sony email accounts of top executives, starting with chair Amy Pascal, the head of its movie division. Pascal’s emails were particularly juicy given her near-constant rate of correspondence and her powerful role. They were a dizzying mix of perfunctory, glamorous, and humiliating. Pascal used her Sony email to schedule hair appointments, plan vacations with her husband, play hardball with producer Scott Rudin, and soothe the pre-release-day jitters of George Clooney. Reporters seized on messages in which Pascal complained about her diet and ordered intimate personal-care products on Amazon. Particularly damning were the ones that displayed what seems like mostly necessary hobnobbing, schmoozing, and back-channeling in a business with delicate egos — but which in writing make Pascal look two-faced.
“You can try my cell anytime,” she wrote to Rogen in August 2014. “I am always here to talk to you.” A few hours later, she wrote about him to a colleague, “I am very annoyed with this and him and it is ruining my vibe.” The most devastating was an exchange with Rudin in which they joked about whether Pascal should ask Barack Obama whether he liked Sony’s movies with Black leads.

Pascal’s co-chairman, Sony’s then-CEO Michael Lynton, still remembers exactly where he was when he learned about the hack: turning onto Bundy Drive in front of a Penguins of Madagascar billboard. A week after Pascal’s emails were dumped, his were too — 12,466 messages in all from 2008 to 2014. On a recent Zoom call, I asked Lynton, 66, lean with a craggy film-noir face, how that felt. He insists that to this day he has never read any of the leaked emails. He was too busy dealing with the FBI and keeping the company running to worry about being embarrassed, he says. Perhaps this fortitude is why friends and acquaintances have gone to him for advice when they were similarly pulled into a high-profile disclosure, lawsuit, or hack. “These are people who didn’t do anything wrong,” he says. “They are just caught up in the wake of someone else’s scandal. And those people ring me up occasionally, and I say, ‘Well, unfortunately, there’s really nothing you can do. Let it run. At some point, they’ll get tired of it.’” As CEO, Lynton was also more discreet than his creative counterparts. “I think I was always cautious about my email, which is one of the reasons why very little came out. Mostly, when it got to a difficult point in an email conversation, I would say, ‘Call me or I’ll call you.’” (In one exchange, responding to a forwarded chain from Pascal in which she tells Rudin to “not fucking threaten” her, Lynton replies, presciently, “You are both crazy to put this in an email.”)

But a plethora of Lynton’s personal information was revealed — how could it not be in six years of private emails? Even a suit as buttoned up as he was used his account to share vulnerabilities, fears, annoyances. To shit-talk is human. There were notes to friends complaining about his job. Sony had a bad fiscal year in 2013, and messages show he offered to give up his bonus but got it anyway. (“The bet paid off,” he wrote in relief to a friend after.) And he didn’t need to say anything damning to appear in an unflattering light since he also showed up in others’ emails. “You know ml will be as rude as possible and try and make me feel AKWARD [sic] instead of loved …,” Pascal wrote to an agent, using Lynton’s initials. “Tell me how to approach ml differently. Read art of war?” I ask Lynton again what it was like to walk into the Sony commissary knowing these private thoughts, by him and about him, were out there. Was it humiliating? Scary? This time, he is adamant, speaking louder. “It wasn’t scary. And to be honest, listening to you going through my email, it upsets me,” he says, shaking his head. “It’s dumpster diving. At the end of the day, this is personal correspondence that was stolen. So if somebody were to say to me, ‘Gee, I didn’t know you felt this way about me,’ I said, ‘What are you doing going through my emails?’” It was, he felt, like rifling through someone’s mail.

I imagine that I too might be upset to be asked on Zoom about the greatest violation of my personal and professional life. Lynton seems particularly outraged by the persistence of it — the fact that 12 years later I can still look up his messages to his wife and to his friend Malcolm Gladwell. In April 2015, WikiLeaks published the Sony trove in an easily searchable database that is alive and well today. The site was blocked on the Sony campus, but everyone was looking at it on their phones, according to assistants who worked for the company at the time. Lower-level employees were “obsessed,” one told me. “Obviously it was both scary and, like, the best gossip that you could ever hope for.” There was some level of solidarity. “Because we were all going through it together, there was an element of ‘There but for the grace of God go I.’ We all do things that if somebody looked through our phone and saw how we talk about our boss or our friend or our co-worker or filmmaker or whoever, it would be really bad. No one is perfect.” That did not keep fellow employees from looking. “Basically any free moment that you had, you were digging around. The first thing you did was type in your own name.”

After Sony, companies around the world, worried about being hacked themselves, upped their security protocols, deleting emails sooner, curtailing administrative privileges in their internal systems, and training employees on phishing. But hackers were becoming more sophisticated. And as businesses took even more of their operations online, just as their employees did with their personal lives, opportunities blossomed. “Cybercriminals are constantly finding new ways to access and exploit readable personal data, in particular when stored in the cloud,” MIT professor Stuart Madnick writes in a 2023 report called “The Continued Threat to Personal Data.” The number of reported data breaches — when hackers steal and release internal data from health-care networks, hospitals, banks, and credit-card companies — rose 78 percent in the U.S. between 2022 and 2023, according to the Identity Theft Resource Center. Phishing and spoofing, which can entail getting a victim to download malware or give up information through a faked item like a PDF, QR code, or CAPTCHA, rose 86 percent in 2025, per a survey by the National Consumers League. Artificial intelligence is, experts say, making all of these threats worse, allowing hacking that once took 12 sophisticated guys working around the clock to be done by one middling dude in a matter of hours. In May, Google revealed that hackers had used AI to find a previously unknown bug in the coding of a “popular open-source, web-based system-administration tool,” which could be any number of widely used platforms. A few days later, researchers at Anthropic claimed that by using the company’s own bug-finding AI model, Mythos, they had been able to get into macOS, once considered a highly secure operating system. All around the world, cybercrime cartels, with names like Scattered Spider and Dragonforce, are franchising their own hacking systems, selling them to smaller groups and taking a cut. 
Hackers linked to a group called ShinyHunters have successfully used “vishing,” or voice phishing, to get into Okta, a popular security layer I use to log in to my own work accounts. Similar tactics have been used to hack into the back end of Bumble, Hinge, and Panera Bread.

Financial gain remains a primary motivation for hackers. A company will pay to try to avoid a breach of sensitive data, as UnitedHealthcare did after a ransomware attack in 2024, forking over $22 million in bitcoin. But sometimes a hacker just wants to embarrass a target. In March, the pro-Iranian Handala Hack Team published a store of Kash Patel’s personal emails and photos online after he boasted of shutting down some of its web domains. This included lame old pictures of the FBI director posing with cigars and a bottle of rum. Given how dated the material was, experts hypothesized that the hackers were able to get in through a previous data breach. Patel’s log-in credentials had probably been sitting around on the dark web for some time, long before he pissed off the Handala group. Two months later, it was reported that Patel’s own merch site, Based Apparel, was hosting malware that could steal customers’ passwords and crypto-wallet information.

In 2016, shortly before he left Sony, Lynton became chair of the board at Snapchat, now Snap, Inc., which happens to be a platform for messages that disappear. (Nevertheless, in January, a 26-year-old from Illinois was found guilty of using a phishing scam to hack the accounts of 59 women on Snap and sell their nude photos online.) “The one thing I have learned, and not necessarily from just Sony, is that I feel like I got duped by the internet into giving it all my information. And I just don’t choose to do that again,” Lynton says. When I tried to reach Pascal, I got an auto-reply saying that she “no longer uses email.” (Through a representative, she declined to participate in this story.) Apparently, she’s not texting, either. It’s rumored that she’s on Signal.

A decade later, a handful of Sony employees who survived 2014 found their private messages the subject of tabloid fodder once again during the Justin Baldoni–Blake Lively court battle. It Ends With Us, the film over which the stars fought, also happened to be a Sony-financed production, and a few of the executives exposed in the earlier hack were also exposed in the litigation. Sanford Panitch, a Sony executive who appears in dozens of emails from the hack, called Lively a “terroridt [sic]” in a text since made public. Tom Rothman, whose snarky email about Willow and Jaden Smith made headlines during the hack (“they r home schooled: don’t let this family date your movies!!!”), wrote in a text that Lively didn’t deserve backlash, “though she did bring it all on herself.” The release of these messages sent shudders through Hollywood not felt since the 2014 hacking aftermath. It was impossible to imagine that people, at Sony especially, were still writing this stuff down. “Everybody is talking about it,” says the former Sony assistant, who still works in the industry. “Those of us who went through it, it’s like, *Did we learn nothing?* If anything, we’ve gotten way worse.” One person I spoke to guessed that the case is what finally got Pascal off email entirely.

The texts in the Baldoni-Lively scandal came out through e-discovery, an industry that is projected to grow to $28 billion by 2030. In addition to booming third-party companies doing this work, most major law firms now have in-house lawyers dedicated to uncovering every text, Slack, tweet, and email message that might help a client’s case — along with whatever else an opponent has done on a device, personal or professional. “Virtually all discovery is e-discovery now,” says Maura Grossman, a legal practitioner and academic. She co-invented a highly advanced version of technology-assisted review, or TAR, the machine-learning tech that has enabled lawyers to process enormous volumes of electronic records at unprecedented speeds. When a civil lawsuit progresses to the discovery phase, lawyers normally can’t just ask an opposing side to hand over a person’s entire phone or computer, but they can request relevant material from relevant time periods or between relevant parties. AI tech can narrow it down and find related material even if it’s not obvious or explicit. Grossman had a case in Europe involving 250 million documents going back decades, which she says would have taken a team of associates years to comb through with human eyes. With TAR, it took months and was compiled into a readable, searchable database like its own WikiLeaks. “In some litigation areas like antitrust,” she explains, “the discovery has gotten very, very broad. Because people don’t say, ‘Let’s commit a fraud today,’ or ‘Let’s violate the Sherman Act.’” An algorithm can detect patterns and codes. She once had a case in which corporate employees were covering up a scheme by using religious terms. TAR figured them out.

Of course, sometimes people do just write down incredibly damning things. “Psychologically, people think they’re more protected than they are,” says Grossman. “I think there has been a blending of what is personal and professional, and people got more casual because of that.” The pandemic made this worse — people weren’t even changing their clothes between work and home. Back in the office, colleagues became used to chatting over apps like Slack to people sitting a few feet away. BYOD (the widely used corporate policy “Bring your own device”) hasn’t helped either. When you’re using the same phone for your work and the rest of your life, “you don’t really change your voice all that much,” Grossman says. Think of the secretary of War and other government officials chatting in Signal about bombing the Houthis, using an American flag and a fist-bump emoji. The Justice Department recently won an antitrust case against Live Nation that included Slack messages about customers, in which one employee openly joked to another that they were “robbing them blind baby … that’s how we do.” (“Lol,” his colleague replied.) Recently, Grossman has seen an increase in litigation requests for automatic transcripts from online meetings, phone calls, and other AI-enabled recordings as evidence. “That’s the next thing I would worry about,” she says. “People don’t remember they’re being recorded. And those transcripts are kept by those companies and can be court-ordered into discovery.”

“People are creating records that they never would have 20 years ago, even ten years ago,” another e-discovery expert tells me. “It used to be really hard to find the smoking gun. It still can be pretty hard to find the smoking gun. But there’s a lot more fruit out there, a lot more potential.” Jonathan Steele, a family lawyer in Chicago, says written communication is changing divorces and custody battles. Families in conflict often now use chat apps like OurFamilyWizard, which can backfire if a client gets heated or offensive, even accidentally. For this reason, he has adopted an AI “tone meter” that can check clients’ messages for aggression or rudeness. During a recent order-of-protection trial, the opposing side presented iMessages from a client’s phone dating back to 2011, a 4,000-page PDF, all because one person had their iCloud backup set to “forever.” (After this interview, I decided to delete my own 700,000 iCloud messages.)

Yet a trove can be weaponized even after you think you’ve successfully deleted it. Like TAR, forensic extraction has improved dramatically. Experts can pull up metadata, backups, and other hidden traces of digital records that have been wiped or reset. Anthony Pusch and Chi-Hung David Nguyen, personal-injury attorneys well known in Houston for billboards with the punny slogan “We Push, You Win,” have been locked in ugly litigation over the dissolution of their firm for over a year. Nguyen has opened a rival shop across the highway from Pusch; Pusch found a new attorney with the last name Wynne, enabling him to keep the same tagline. In court this spring, Pusch introduced dozens of texts taken from a computer Nguyen left in his office (but says was not company property) as well as a work MacBook used by his brother, John, the firm’s former COO. Though both men say they logged out of their iCloud accounts on each device and wiped all their contents — or at least they thought they did — Pusch was able to access 5,000 pages of messages from both, including private communications between spouses and family members. The brothers say he must have used forensics to extract the data; an attorney for Pusch says it wasn’t necessary.

Pusch’s attorneys introduced selected texts from the Nguyens in court to allege they were conspiring against him and covering it up. But the brothers dispute this, saying the messages have been cherry-picked to make them sound like cartoon villains. One from John saying of the firm, “Pretty annoying we have to blow it up,” for example, referred to having to fire a particular department head. Texts from Chi-Hung to a friend calling Pusch a “POS” with a firm that “will never get past the current stage because he is too dumb” were immaterial. “I didn’t know it’s a breach of my fiduciary duty because I hurt your feelings, bro,” Chi-Hung said to me recently on a call from Houston. “It’s incredibly violating. Just imagine the person that was trying to freaking take you out right now has all your text messages.” For Pusch, the messages speak for themselves. “If you’re gonna commit a crime and if you’re gonna conspire,” he told me, “maybe don’t upload it to the cloud.” And it’s not just about text messages anymore: Pusch’s lawyers are currently trying to subpoena Chi-Hung’s chatbot conversations, citing a recent court case in New York that has deemed ChatGPT history discoverable.

Dutch Van Andel, the Disney engineer in La Crescenta, thought he had endured the worst kind of digital exposure possible when he was hacked. After July 11, 2024, Disney put him on paid administrative leave so he could continue to clean up the NullBulge mess. He felt lucky the company was being so understanding. He had somehow gotten out of it without any massive impact, it seemed: no intimate photos on the internet, no financial loss. Van Andel dropped off his work laptop at Disney so the company could continue to investigate the hack. But on July 22, less than two weeks later, he got a call from a Disney HR executive. She said he was being terminated for accessing pornographic material on his work laptop in violation of company policy. “No,” Van Andel said. “I’m the guy that was hacked. You must have the wrong person.” The executive insisted her information was correct and told him he would be receiving his termination documents. (Disney did not respond to requests for comment.)

Van Andel hung up the phone in shock. He had never looked at anything inappropriate on his work laptop. What could they possibly be talking about? As the summer went on, he could barely sleep, plagued by nightmares that a massive stuffed Mickey was chasing his kids. He learned his family’s health benefits would soon be ending, including specialist treatment for his son with autism. Disney would be contesting his unemployment benefits from the state because he had been fired for misconduct. Many of his former co-workers weren’t responding to his texts. Van Andel worried that his firing had led people to believe the claim the hackers made on their website when they released the Disney data: that he had been their “inside man.” Now there must be rumors about the explicit material. He parsed his own data records to try to figure out what Disney could possibly have seen on his work laptop. The only thing he was able to find were URLs of Safari links to porn sites on his personal iCloud account — but he had visited them at home, on his own PC. He used Firefox at work. Like him, he reasoned, Disney engineers would have been able to see metadata associated with the URLs that showed exactly where they had been accessed: on his personal devices.

In 2025, Van Andel sued Disney, bringing six separate claims, including wrongful termination, whistleblower retaliation, invasion of privacy, and intentional infliction of emotional distress — all of which Disney denies. He had, he argued, been illegally hacked by NullBulge, then again by his own employer. Disney IT employees and executives had taken his laptop and, instead of chasing down their own exposure, seemingly used it to get into his iCloud — Van Andel still doesn’t know exactly how. Then, as far as he could tell, they looked at his personal, private browser history; shared it among themselves; and used it against him. It felt almost akin to revenge porn. Van Andel and his attorneys say Disney was embarrassed by the lack of security in Slack, about which Van Andel himself had raised concerns. If Disney had better protocols in place, he believes that even after the hackers got into his Slack account, they wouldn’t have had access to the corporate material that was exposed. Facing class-action lawsuits from people whose information had been breached, the attorneys argued, the company needed a scapegoat.

The humiliation would continue. Once he filed the lawsuit, the e-discovery process meant Van Andel was exposed all over again. Disney eventually produced a huge cache of files, shared with Van Andel’s attorneys, Disney’s attorneys, the judge in his case, and employees of the court, which Disney says came from Van Andel’s work laptop, though Van Andel insists they were clearly extracted from his iCloud. Included was a spreadsheet containing hundreds of file names the company claimed were for explicit images. Van Andel could see only their metadata, so he had to imagine what they contained. Did he and his wife have intimate photos sitting somewhere they’d forgotten about? It was possible. They had been together for 12 years. Disney produced another spreadsheet, labeled “Porno URLs,” along with a massive PDF containing images from the website pages the company said Van Andel had visited, with dates and time stamps for it all: his visits to xHamster; links he’d clicked on Pornhub; that he’d looked up “Bluey” on Rule 34, a site offering erotic imagery related to nearly any character or world. It didn’t matter, of course, that watching porn is something many people do, undoubtedly many who work at Disney. It didn’t matter that Disney had no context for the links. Viewing the list en masse made Van Andel feel like some sort of deviant. When Disney presented the URLs to him and his lawyers, the company claimed the links were unusually explicit and included bestiality and incest, which Van Andel denies. (Does a blue cartoon dog count as bestiality?) If his lawsuit goes to trial, Disney could use items from the e-discovery again in court — and this time, they would be public. And if Disney is able to successfully take a work device to get into an employee’s personal cloud and use what it finds to fire that person, Van Andel’s attorneys say it will have massive implications for digital privacy.

Earlier this year, the FBI revealed that NullBulge was not in fact a furry hacker collective from Russia but a 25-year-old in Santa Clarita named Ryan Kramer. He had decided to infiltrate Disney and post about it, seemingly for clout and chaos alone. He pleaded guilty and was sentenced to 15 months in prison. Somehow, Van Andel has found it in his heart to feel bad for the guy. “He hurt our kids. He hurt me. He destroyed our lives,” Van Andel told me when I met him on a park bench in April. He is a tall, large man with a stick-straight handlebar mustache and a quiet voice whose green Crocs matched his polo shirt. “If Disney hadn’t done what they did, though, I’d have been fine.” Van Andel was finally able to get a new tech job at the end of last year, but his trove is still out there on BitTorrent. He struggles with depression. “The feeling of safety is gone,” he says. “Who is watching you from the shadows? Do they still have access to things? Like, are they judging you somewhere?”

There are specialists for whom cleaning up and locking down one’s digital record is a matter of obsession. I wanted to find someone who could assess my own vulnerability and help me downsize. I imagined putting my phone and computer through a kind of Prenuvo machine that would spit out a list of all the places I might be digitally sick. On a recent muggy afternoon, I meet with Alec Harris, a muscled bald guy in a black T-shirt who makes friendly but intense eye contact. As a deep-privacy expert, Harris has what could be described as extreme op-sec. He gets mail at a P.O. box; his house, which he bought through an LLC, is blurred in Google Maps. He uses hundreds of throwaway email accounts for everything he has to do online and several burner cell-phone numbers.

Through his company, havenX, he helps his clients disappear their digital footprint; typically, they are extremely wealthy or crypto whales looking to prevent bitcoin kidnappings. Lately, though, more and more are normal people worried about how much personal information they’ve left out there about themselves: people who have used the same password for everything and have seen it come out in a data breach or journalists concerned about the recent raids on reporters’ homes and high-profile lawsuits against newsrooms. He says his L.A. clients are still talking about Sony. “It’s surprising, especially with artificial intelligence, that there hasn’t been another disclosure event of that scale,” he says. “It’s only a matter of time.”

Harris explains that, not unlike the government, tech companies prefer your data to be stored forever and constantly accumulating. It is most valuable that way, scaled to unimaginable heights and tied to a single person with a verified identity. Same for the third-party data-broker industry that packages our personal information and sells it to the highest bidder. I start telling Harris about how long I’ve been using the same accounts and how that worries me. “I’ve used an iPhone for half my life. I’m 36 this week — ” “We know,” he interrupts gravely. Harris and his team have been conducting a targeted “digital-vulnerability assessment” of me for the past two weeks using only my full name and occupation as a starting point, a service that would normally cost between $10,000 and $20,000. The result, which Harris sends to my laptop via AirDrop, is a 31-page dossier containing everything they were able to pull from the internet about me. My email address has been exposed in 14 data breaches since 2013, the report says. It lists old passwords I continue to use. Other information from breaches forms a kind of scaffolding of the past decade of my life: that I bought a tie-dye kit on Etsy in 2015, that I tried to learn Czech on Duolingo in 2018 for an ex-boyfriend, that I used a weight-loss app in 2022. Then Harris shows me how, if someone were trying to hack into my accounts, they could throw all this available information into an LLM to generate a highly convincing phishing attack, a practice called “social engineering.” The example he gives is a stilted but plausible invitation to join a book club.

I ask Harris to lay out the possible remedies for what he has officially deemed a “moderate high risk” situation. First, I need to do a sweep of all the old app and website accounts I’ve left behind and delete them (I could get rid of my long-dormant Co-Star astrology account, for example). I need to start using a password manager; he recommends the Apple one that comes with my phone. I should use it with two-factor authentication. I already use a data-removal service called Optery to take down the bits and pieces of information about me being sold by those data brokers that have made their way onto the web — that’s good. Don’t use WhatsApp; it’s not secure enough. For messaging, he prefers something ephemeral like Signal, but iMessage is end-to-end encrypted, so it is pretty secure (though still potentially discoverable in a lawsuit). But don’t keep iMessages on my computer. Even if I log off, they might leave a trace that could later be extracted by forensics. Certainly don’t use iMessages on my work computer — don’t do anything personal on my work computer. (During our meeting, my work laptop asks me to sign in to my Apple account multiple times.) Turn off retention of my messages and make sure they aren’t being backed up somewhere. Use a VPN to hide my internet browsing. Don’t use Google; it tracks too much. Use Firefox instead. Do not join public Wi-Fi networks without a VPN, lest someone stage a man-in-the-middle attack, spoof the Wi-Fi, and get inside my device. I should be using dummy emails and at least one dummy phone number. When I want to say something important, I should pick up the phone. Walk into someone’s office. Don’t write it down.

No matter how much I clean up my own trove, though, I am undoubtedly exposed in someone else’s — what Harris calls “concentric circles of risk.” Even the privacy guys I spoke to who are so adamant about walling off their communications that they’re building autonomous internal networks can’t manage to get their own families onboard. Harris finally persuaded his wife to use Signal, but they often just text anyway. Accordingly, Harris tells me his team was able to learn the most about me from my mom’s public Facebook posts.

At this point, he can see I feel daunted. He encourages me to start with the little things — password manager, VPN — and go from there. Harris wants me, essentially, to wake up. We’ve come to use digital devices and platforms as unconsciously as we turn on a faucet or flick on a light, but the smartphone is not a public utility. These methods we use to connect are owned by other people, private companies leveraging my trove for profit. Why should I trust them any more than NullBulge not to spy on it, steal it, or sell it all?

A few days later on the train home from work, I receive in my Gmail inbox what I think is an invitation to a birthday party from my friend who lives in Philadelphia. I click the button in the email; it takes me to a website that asks me to click to verify I am human. But I lose service and, fortunately, it stalls out. An hour later, only as I look at the email again, the subject line — “YOU’RE INVITED!” — seems overly exuberant, oddly impersonal. I hover over the link, realizing it is an obvious phishing scam. Panicking, I begin to picture what level of humiliation or destruction I would be able to tolerate. Did I log in to my bank after clicking the link? Did I sign in to my email? There was no point in trying to calculate the potential destruction. What’s already out there, Harris told me during our conversation, I have to let go. We can’t put the toothpaste back in the tube. All we can try to do is stop making so many tubes all the time. But I still can’t stop imagining it: Everything I have ever typed is a ghost that could come back out of the cloud to haunt me, to pop up in the middle of the night and say “boo.”
